The Draft Investigatory Powers Bill has been published, setting out a
new framework within which your Internet use can be monitored in various ways.
These powers raise significant questions as to their effectiveness. Sebastien
Lahtinen, co-founder of thinkbroadband.com, sets out some of the difficulties
with the proposed Bill.

Trust & changes in behaviour

The Snowden revelations have made us all more aware of the interception
activities of the intelligence services and as a result we have seen Internet
companies starting to employ strong encryption to protect
their customers' data and, in turn, their own reputations. For example, Apple have
told a court that it is 'impossible' for it to unlock iPhones running its latest
iOS operating system. If companies are going to be required to compromise their
products to enable monitoring of users, this will encourage users to implement
their own encryption methods with software they trust (e.g. which has been
peer-reviewed such as by the open source community) in a way which cannot be
compromised as easily. Similarly, it is trivial to encapsulate any Internet
traffic through a number of encrypted methods such as the use of Virtual
Private Networks (VPNs) or other tunnelling techniques to hide the true
source/destination of communications and the profiling this facilitates.

Whilst this type of security activity may only currently be used by a small
number of privacy-conscious individuals for personal security with most using
the default settings on phones and applications they use, these tools are
likely to become easier to use and will in due course become more prevalent; it
would be a foolish criminal or terrorist who did not consider using such
systems and relied solely on systems provided by the major companies likely to be
required to weaken their protections under this law.

Security of data — exposing UK companies and consumers to new risks

Whenever you collect data, there is a risk that this will one day be
compromised. Technical systems are not foolproof, and the fact that Edward Snowden
was able to expose some of the innermost secrets of the U.S. intelligence and
diplomatic services is a case in point that not even the most secretive of
agencies are able to keep their data safe. The Internet Service Providers are
being asked to retain Internet Connection Records (ICRs) which will contain
details of who is accessing which services or websites. Only recently one of
the largest UK broadband providers, TalkTalk, has been hacked and customer
details stolen. If this can happen, what makes anyone think that ICRs would be
absolutely safe from such an attack?

Imagine the scenario of the next cyber-attack where a major UK broadband
provider's database of websites you have visited was hacked and the data stolen
by hackers based in a far away country. You receive an e-mail which states that
the hacking group have identified you from the ICRs and the fact you have
visited a website which you might be embarrassed to admit publicly or would
just prefer to keep private. This might be a website or group of websites that
identifies some of your political views, religious beliefs, sexual orientation,
or information about your health, and you may not even have actually visited
those sites. Of course visiting such websites doesn't necessarily imply
anything as it provides no context, but publication of this information may
still cause you significant distress. The e-mail asks for you to pay one
bitcoin (a virtual currency which cannot be easily traced; currently around
£315) to avoid this data being published.

Ashley Madison, a web site facilitating adulterous affairs, was hacked a few
months ago, exposing the personal details of its members. This has reportedly
resulted in suicides of some individuals whose names were associated with
the website. This shows that the cost of illegal access to such data cannot be
measured merely in financial terms, and no amount of compensation can undo the
damage that collecting sensitive personal data can cause to victims.

Even anonymisation of the data is no guarantee that it could not be linked
back to individuals. Last year, we saw how journey data from New York taxis
could be used to link individuals back to habits such as visiting gentlemen's clubs.

What constitutes an Internet Connection Record?

An Internet Connection Record is about identifying who is using what
services or connecting to which websites (or IP addresses to be precise). You
might feel safe now thinking that you don't visit any websites which you would
consider embarrassing but if you understand how web pages work, you will soon
realise how visiting an innocuous page might mean your web browser connects to
a website which you may not actively wish to visit, yet an ICR would be created
linking your device or identity to a website which might be embarrassing.
Trying to prove a negative, that you didn't in fact visit the website, would be
rather difficult.
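
The point above, as an added example that is not part of the original article: a short Python script that lists the third-party hosts a browser contacts merely by rendering a page, each of which would appear as a connection against the subscriber. The sample page, every hostname in it and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements fetched automatically when a page renders. <a href> is excluded:
# a link only causes a connection if the reader clicks it.
SRC_TAGS = {"img", "script", "iframe", "embed", "audio", "video", "source"}
LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "preconnect"}


class AutoFetchCollector(HTMLParser):
    """Collects absolute URLs a browser would request without user action."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        target = None
        if tag in SRC_TAGS:
            target = attrs.get("src")
        elif tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & LINK_RELS:
                target = attrs.get("href")
        if target:
            self.urls.append(urljoin(self.page_url, target))


def implied_connections(page_url, html):
    """Return the third-party hosts contacted just by rendering the page."""
    collector = AutoFetchCollector(page_url)
    collector.feed(html)
    own_host = urlsplit(page_url).hostname
    hosts = {urlsplit(u).hostname for u in collector.urls}
    return sorted(h for h in hosts if h and h != own_host)

# Constructed sample page; every hostname is a made-up placeholder.
SAMPLE_URL = "https://news.example/story"
SAMPLE_HTML = """
<link rel="stylesheet" href="/site.css">
<script src="//cdn.adnetwork.example/tag.js"></script>
<img src="https://tracker.example/pixel.gif" width="1" height="1">
<iframe src="https://sensitive-clinic.example/widget"></iframe>
<a href="https://never-clicked.example/">a link the reader never clicks</a>
"""

if __name__ == "__main__":
    for host in implied_connections(SAMPLE_URL, SAMPLE_HTML):
        print("connection record: subscriber ->", host)
```

The reader asked only for the news page, yet three other hosts are contacted, including the embedded widget's; the unclicked link produces none.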

Equipment interference

There are provisions for the security services to undertake equipment
interference (also known as hacking) which may give access to a system which
would otherwise not be possible. Such an activity may well be for the benefit
of society if it identifies a terrorist and prevents an attack and few people
would argue against that, but what if this interference results in a security
weakness in a system which is then exploited by criminals for their own
purposes? Who would be liable for the consequences? How would victims even know
when this was as a result of an action authorised under this Bill?

Conclusion

There is no doubt that we need to modernise the laws to take into account
the ever evolving nature of the Internet, and targeted interception must be
part of this. Tracking visitors to terrorist content or child abuse images may
be necessary to prevent attacks against the country or vulnerable individuals;
however, recording visits to every single website is bound to eventually lead to
tragic consequences for law abiding individuals and may result in a chilling
effect on freedom of speech. Would you think twice about visiting the website
of a controversial political party to find out their side to an issue and risk
being labelled a racist? Many of these issues need to be worked through with a
full analysis of the unintended consequences, before the impact of the proposed
Bill will become clear.

Comments

Posted by
mervl about 1 year ago
Fear is a more effective weapon than bombs or armies. The terrorists know that only too well.

Posted by
AndrueC about 1 year ago
So do governments. And religions. It's a universal truism that anyone who wants to manipulate people knows.

Posted by
davidinnotts about 1 year ago
Good article, Sebastien. But you don't cover one key point which the media seem keen to sideslip, too: it is of supreme indifference to security agencies whether their access to your data results in the possible attacks and scams you describe so well. As long as they have access for counter-terrorism, any criminal consequences are an issue for governments to deal with, not a reason for them to stop insisting on access to all personal data. The fact that only organized criminals, terrorist groups and other governments can protect themselves is not a reason to stop, either.

Posted by
Skilty about 1 year ago
What I also find interesting is that "The Wilson Doctrine" will be enshrined in law. There was mention of journalists but interestingly (unless I missed it) no mention of communication between a solicitor and their client(s).

It seems that politicians have ensured they are exempt. David Chaytor, Jim Devine, Elliot Morley, Eric Illsley, Margaret Mora, Lord Taylor and many others have had suspended sentences or prison terms.

Posted by
DrMikeHuntHurtz about 1 year ago
So the lesson from this... use a VPN.

Posted by
gerarda about 1 year ago
I think there is a superfluous r in the title

Posted by
mdar5 about 1 year ago
If you lot on here think VPN providers do not keep records (despite what they might say) or that will be only too eager to provide the info when the police call and 'suggest' that they might like to cooperate, then you are living in laa laa land.

Posted by
Spud2003 about 1 year ago
Unless you can actually provide evidence that VPN providers who claim not to log do then all you have is an opinion. There are plenty of them claiming not to log and they'd be out of business if just a single disgruntled employee said otherwise -

Posted by
GeeTee about 1 year ago
VPN is all well and good. Endpoint to endpoint encryption of messaging is all well and good. Those may get you out of the dragnet.

But consider https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473740/Factsheet-Targeted_Equipment_Interference.pdf

^^ This is riding along with the proposed IPB... basically encrypt your comms, expect an endpoint exploit to capture content before encryption kicks in. Using a VPN or TOR just paints a target on your own back.

Insidious is an understatement.

Posted by
GeeTee about 1 year ago
As could have been predicted from some distant orbit, that document harnesses the Islamist extremists, paedos, organised crime, terrorists, "cyber-attack" whatever that may be in order to get the message across.

Whatever you do... be very afraid.... or something, whatever just submit.

Write to your MP... kill this thing.

Posted by
ValueforMoney about 1 year ago
I am not sure it will ever be possible to stop these folk collecting data.
The Legal use of any data should I think acknowledge that the data itself cannot be relied upon as evidence against a person, thus acknowledging that the naming and numbering for the internet is such a kludge. I do not own my phone number, or IP address; I do not control where these are registered or maintained. This must have a legal bearing on the status of any information stored against numbers loosely associated against me.

Posted by
Blackmamba about 1 year ago
Hi Broadband Watchers.
Only a few years ago before broadband, data collection was called SVI service interception; today it is called Hacking which can be done by any person so it is the responsibility of the individual not to be Hacked. When SVI was used it had to go via the courts to collect data for prosecution.

Posted by
seb ( staff member)
about 1 year ago
ValueforMoney: You're absolutely right in the difficulties using the data for 'legal' purposes.. but the abuse is far more likely to be related to unlawful and illegal uses where burdens of proof don't exist.. rumours and conjecture will take over.

Posted by
ValueforMoney about 1 year ago
@Andrew Perhaps, but one step at a time. The key in progressing the matter over time is establishing that the data cannot be trusted for legal purposes, and perhaps can be used to narrow an investigation to remove rumour and conjecture. You are looking in a haystack for a needle of unknown quality and dimension. You have to definitively assume innocence until other evidence emerges.

Posted by
Teefenn1 about 1 year ago
You haven't mentioned the most dangerous and insidious aspect of this Bill, i.e. the secrecy. Any provider that has had a Communications Data Retention Notice served on them will be prevented by this law from ever disclosing this fact to their customers or anyone else. I know my ISP, AAISP, would never willingly cooperate and have no current systems to log web visits. However should they be served with a notice they will be barred from telling me so, on pain of being criminalised.